ATM hackers steal $9 million in a day

A carefully coordinated global ATM heist last November resulted in a one-day haul of $9 million in cash, after a hacker penetrated a server at payment processor RBS WorldPay, New York's Fox 5 has reported.

RBS WorldPay announced on 23 December that they'd been hacked, and personal information on approximately 1.5 million payroll-card and gift-card customers had been stolen. (Payroll cards are debit cards issued and recharged by employers as an alternative to paychecks and direct-deposit.) Now we know that account numbers and other magnetic-stripe data needed to clone the debit cards were also compromised in the breach.

At the time, the company said it identified fraudulent activity on only 100 cards, making it sound like small beans, but it turns out the hacker managed to lift the withdrawal limits on those 100 cards, before dispatching a global army of cashers to drain them with repeated rapid-fire withdrawals. More than 130 ATMs in 49 cities from Moscow to Atlanta were hit simultaneously just after 8am GMT on November 9.

A nearly identical cybercrime feeding frenzy targeted payment card company iWire in late 2007. From September 30 to October 1 of that year - just two days - four iWire payroll cards were hit with more than 9,000 actual and attempted withdrawals from ATM machines around the world, resulting in losses of $5 million.

A similar method was employed against Citibank account holders last year, after a processing server that handles withdrawals from Citibank-branded ATMs at 7-Eleven convenience stores was breached. In that case, cashers converged on New York and withdrew at least $2 million from Citibank accounts, sending 70 per cent of the take back to a mysterious hacker kingpin in Russia.

Could all three breaches be the work of a single wealthy cybercrook sitting on piles of cash somewhere in Moscow? Some of the cashers in the iWire and Citibank caper are cooperating with the FBI, so we may eventually find out.

What's clear is that this is a great time to be a hacker. In just over one year we've seen these kinds of breaches go from virtually unheard of into a multimillion dollar industry.

In September, Canadian police announced the arrest of Israeli hacker Ehud Tenenbaum for allegedly penetrating the Calgary-based financial services company Direct Cash Management and increasing the cash limits on prepaid debit cards he and his co-conspirators legitimately purchased. The caper allegedly netted the crooks the equivalent of $1.7 million.

Despite much-ballyhooed payment card security standards, the industry responsible for protecting our money appears to be as leaky as a sieve. As always, consumers aren't responsible for fraudulent withdrawals that they find and promptly report to their card issuer.